tiff bugzilla #2508

OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=72
2016-01-11 10:12:16 +00:00 · 2016-01-11 10:12:16 +00:00 · a4befe7391
commit a4befe7391
parent 734609a0ab
3 changed files with 49 additions and 1 deletions
--- a/tiff-4.0.6-nextdecode-oob.patch
+++ b/tiff-4.0.6-nextdecode-oob.patch
@ -0,0 +1,36 @@
+--- libtiff/tif_next.c	29 Dec 2014 12:09:11 -0000	1.16
+++ libtiff/tif_next.c	27 Dec 2015 17:14:52 -0000	1.18
+@@ -37,7 +37,7 @@
+ 	case 0:	op[0]  = (unsigned char) ((v) << 6); break;	\
+ 	case 1:	op[0] |= (v) << 4; break;	\
+ 	case 2:	op[0] |= (v) << 2; break;	\
+-	case 3:	*op++ |= (v);	   break;	\
+	case 3:	*op++ |= (v);	   op_offset++; break;	\
+ 	}					\
+ }
+ 
+@@ -103,6 +103,7 @@
+ 		}
+ 		default: {
+ 			uint32 npixels = 0, grey;
+			tmsize_t op_offset = 0;
+ 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
+             if( isTiled(tif) )
+                 imagewidth = tif->tif_dir.td_tilewidth;
+@@ -122,10 +123,15 @@
+ 				 * bounds, potentially resulting in a security
+ 				 * issue.
+ 				 */
+-				while (n-- > 0 && npixels < imagewidth)
+				while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
+ 					SETPIXEL(op, grey);
+ 				if (npixels >= imagewidth)
+ 					break;
+                if (op_offset >= scanline ) {
+                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
+                        (long) tif->tif_row);
+                    return (0);
+                }
+ 				if (cc == 0)
+ 					goto bad;
+ 				n = *bp++, cc--;
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Jan 11 09:48:49 UTC 2016 - fstrba@suse.com
+
+- Added patch:
+  * tiff-4.0.6-nextdecode-oob.patch
+    - Fix potential out-of-bound write in NeXTDecode() triggered by
+      http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (#2508,
+      bsc#942690)
+
 -------------------------------------------------------------------
 Tue Dec  8 15:55:30 UTC 2015 - p.drouand@gmail.com

--- a/tiff.spec
+++ b/tiff.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tiff
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -29,6 +29,8 @@ Source3:        baselibs.conf
 Patch0:         tiff-4.0.3-seek.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2442
 Patch1:         tiff-4.0.3-compress-warning.patch
+# http://bugzilla.maptools.org/show_bug.cgi?id=2508
+Patch2:         tiff-4.0.6-nextdecode-oob.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtool
@ -94,6 +96,7 @@ the libtiff library.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p0

 %build
 CFLAGS="%{optflags} -fPIE"